💼 AC-6 Least Privilege (M)(H)

• ID: /frameworks/fedramp-high-security-controls/ac/06

Stats

not available

Description

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Similar

• Sections
  • /frameworks/nist-sp-800-53-r5/ac/06
• Internal
  • ID: dec-c-e3bc71a5

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	78		no data

Similar Sections (Give Policies To)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		85		no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AC-6(1) Authorize Access to Security Functions (M)(H)		4	4		no data
💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)		1	6		no data
💼 AC-6(3) Network Access to Privileged Commands (H)		1	6		no data
💼 AC-6(5) Privileged Accounts (M)(H)		3	5		no data
💼 AC-6(7) Review of User Privileges (M)(H)		2	2		no data
💼 AC-6(8) Privilege Levels for Code Execution (H)					no data
💼 AC-6(9) Log Use of Privileged Functions (M)(H)		8	32		no data
💼 AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)		1	5		no data

Policies (50)

Policy	Logic Count	Flags	Compliance
🛡️ AWS Account Root User has active access keys🟢	1	🟢 x6	no data
🛡️ AWS DMS Replication Instance is publicly accessible🟢	1	🟢 x6	no data
🛡️ AWS EBS Snapshot is publicly accessible🟢	1	🟢 x6	no data
🛡️ AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances🟢	1	🟢 x6	no data
🛡️ AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2🟢	1	🟢 x6	no data
🛡️ AWS EC2 Instance IMDSv2 is not enabled🟢	1	🟢 x6	no data
🛡️ AWS EC2 Instance with an auto-assigned public IP address is in a default subnet🟢	1	🟢 x6	no data
🛡️ AWS ECS Service automatically assigns public IP addresses🟢	1	🟢 x6	no data
🛡️ AWS ECS Task Definition runs as privileged🟢	1	🟢 x6	no data
🛡️ AWS ECS Task Definition Readonly Root Filesystem is disabled🟢	1	🟢 x6	no data
🛡️ AWS EKS Cluster allows unrestricted public traffic🟢	1	🟢 x6	no data
🛡️ AWS IAM Access Key is unused🟢	1	🟢 x6	no data
🛡️ AWS IAM Customer Managed Policy allows KMS decryption actions on all KMS keys🟢	1	🟢 x6	no data
🛡️ AWS IAM Group Inline Policy allows KMS decryption actions on all KMS keys🟢	1	🟢 x6	no data
🛡️ AWS IAM Policy allows full administrative privileges🟢	1	🟢 x6	no data
🛡️ AWS IAM Role Inline Policy allows KMS decryption actions on all KMS keys🟢	1	🟢 x6	no data
🛡️ AWS IAM User has inline or directly attached policies🟢	1	🟠 x1, 🟢 x5	no data
🛡️ AWS IAM User Inline Policy allows KMS decryption actions on all KMS keys🟢	1	🟢 x6	no data
🛡️ AWS IAM User with credentials unused for 45 days or more is not disabled🟢	1	🟢 x6	no data
🛡️ AWS Lambda Function allows public access🟢	1	🟠 x1, 🟢 x5	no data
🛡️ AWS Lambda Function is not in a VPC🟢	1	🟢 x6	no data
🛡️ AWS OpenSearch Domain fine-grained access control is not enabled🟢	1	🟢 x6	no data
🛡️ AWS OpenSearch Domain has a public endpoint🟢	1	🟢 x6	no data
🛡️ AWS RDS Cluster IAM Database Authentication is not enabled🟢	1	🟢 x6	no data
🛡️ AWS RDS Instance IAM Database Authentication is not enabled🟢	1	🟢 x6	no data
🛡️ AWS RDS Snapshot is publicly accessible🟢	1	🟢 x6	no data
🛡️ AWS Redshift Cluster is publicly accessible🟢	1	🟢 x6	no data
🛡️ AWS S3 Access Point is not configured to block public access🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket ACL allows public read or write access🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket is not configured to block public access🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket Policy allows public read or write access🟢	1	🟢 x6	no data
🛡️ AWS SageMaker Notebook Instance Direct Internet Access is not disabled🟢	1	🟢 x6	no data
🛡️ AWS SageMaker Notebook Instance is not in a VPC🟢	1	🟢 x6	no data
🛡️ AWS SageMaker Notebook Instance Root Access is not disabled🟢	1	🟢 x6	no data
🛡️ AWS VPC is not configured with a VPC Endpoint for Amazon EC2 service🟢	1	🟢 x6	no data
🛡️ AWS VPC Subnet Map Public IP On Launch is enabled🟢	1	🟢 x6	no data
🛡️ Google BigQuery Dataset is anonymously or publicly accessible🟢	1	🟢 x6	no data
🛡️ Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Instance External Authorized Networks whitelists all public IP addresses🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Instance has public IP addresses🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off🟢	1	🟢 x6	no data
🛡️ Google GCE Instance has a public IP address🟢	1	🟢 x6	no data
🛡️ Google IAM Service Account has admin privileges🟢	1	🟢 x6	no data
🛡️ Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level🟢	1	🟢 x6	no data
🛡️ Google KMS Crypto Key is anonymously or publicly accessible🟠🟢⚪		🟠 x1, 🟢 x2, ⚪ x1	no data
🛡️ Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock🟢	1	🟢 x6	no data
🛡️ Google Project with KMS keys has a principal with Owner role🟢	1	🟢 x6	no data
🛡️ Google Storage Bucket is anonymously or publicly accessible🟢	1	🟢 x6	no data
🛡️ Google Storage Bucket Uniform Bucket-Level Access is not enabled🟢	1	🟢 x6	no data
🛡️ Google User has both Service Account Admin and Service Account User roles assigned🟢	1	🟢 x6	no data